Threat Intelligence Blog

Your Mobile Apps May Be Watching You

Posted November 19, 2013

Much has been written about the dangers of rogue mobile apps. What many users might not know is that, in addition to malware, they could also be exposing themselves to hidden fees and unwanted tracking by downloading apps without understanding which permissions they are granting those apps to share personal data.

Whenever a mobile device user downloads an app, he or she can review the app’s permission requests and cancel the download if the permissions are excessive or otherwise objectionable. However, a survey by the University of California, Berkeley found that only 17% of Android users pay any attention to permissions during installation. Meanwhile, security firm Bit9 analyzed 412,212 Android apps on the Google Play marketplace and flagged more than one quarter of them as being “high-risk” due to excessive permissions. This concurs with the research of Juniper Networks’ Mobile Threat Center, which examined the level of permissions requested by apps. Juniper Networks found that not only did a “significant number” of apps “contain permissions and capabilities that could expose sensitive data or access device functionality that they might not need,” they also had permission to access the Internet, which meant the exposed data could easily be transmitted to external servers. Of note, Juniper also found that free applications were 401 percent more likely to track user location and 314 percent more likely to access user address books than the paid versions.

Mobile device users downloading apps should be wary of apps that can make phone calls or send SMS messages. While apps such as Google Voice have legitimate uses for this function, it can also be used to call premium-rate numbers or text services, and the charges will show up on the user’s phone bill.

Apps that can find a device’s GPS or network-based location may also be a concern. This permission is vital for apps such as mapping or weather software to function correctly. However, if a mobile device user needs to remain “off the grid,” it is best to either turn off location tracking or not to download the app at all.

Finally, any app that requests permissions to read a user’s personal information, such as contacts or calendar data, needs to be examined closely. While replacement calendars, social networking software, and phone books would request this data, malware can also access this information. Unless it is clear why the app needs this information, it should be avoided.
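
The checks described above can be automated as a permission review. The following Python sketch is an added example, not part of the original post: it reads an app's manifest, flags the permission groups the post calls out, and notes when data-reading permissions are combined with Internet access. It assumes the manifest has already been decoded from the APK's binary form into text XML; the sample manifest and the package name `com.example.flashlight` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
# Permission groups the post singles out, with the concern named for each.
RISKY = {
    "android.permission.CALL_PHONE": "calls/SMS: premium-rate charges",
    "android.permission.SEND_SMS": "calls/SMS: premium-rate charges",
    "android.permission.ACCESS_FINE_LOCATION": "location: GPS",
    "android.permission.ACCESS_COARSE_LOCATION": "location: network-based",
    "android.permission.READ_CONTACTS": "personal data: contacts",
    "android.permission.READ_CALENDAR": "personal data: calendar",
}

# Constructed sample: a flashlight app asking for far more than a camera LED.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    # Note: for manifests from untrusted sources, use a hardened XML parser.
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n.strip() for n in names if n}

def audit(manifest_xml):
    """Flag risky permissions and the 'sensitive data plus Internet' combination."""
    perms = requested_permissions(manifest_xml)
    findings = {p: RISKY[p] for p in sorted(perms) if p in RISKY}
    # Location and personal-data permissions read data; calls/SMS cost money.
    reads_data = any(not r.startswith("calls/SMS") for r in findings.values())
    return {"findings": findings,
            "can_transmit_data": reads_data and INTERNET in perms}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for perm, reason in report["findings"].items():
        print(f"{perm}: {reason}")
    print("sensitive data + Internet access:", report["can_transmit_data"])
```

A flagged permission is a prompt to ask why the app needs it, not proof of abuse: a mapping app legitimately requests location, and a replacement phone book legitimately reads contacts.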